author | Izorkin <izorkin@elven.pw> | 2020-05-14 20:29:59 +0300 |
committer | Izorkin <izorkin@elven.pw> | 2020-06-10 12:38:40 +0300 |
commit | df7e52814d8d578a948e8e7b15404e982971e5d1 (patch) | |
tree | d69ba20769f32937dd6ff8590c4929f0fffd82e3 /nixos/modules/services | |
parent | 0ba7e1ae981b7290d8934701eb67b56effd46146 (diff) | |
nixos/mysql: enable sandbox mode
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/databases/mysql.nix | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 51885881cf73..0052094697b2 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -367,11 +367,7 @@ in
 '';
 serviceConfig = {
- User = cfg.user;
- Group = "mysql";
 Type = if hasNotify then "notify" else "simple";
- RuntimeDirectory = "mysqld";
- RuntimeDirectoryMode = "0755";
 Restart = "on-abort";
 RestartSec = "5s";
 # The last two environment variables are used for starting Galera clusters
@@ -452,7 +448,7 @@ in
 cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
 ''}
- rm /tmp/mysql_init
+ rm ${cfg.dataDir}/mysql_init
 fi
 ${optionalString (cfg.ensureDatabases != []) ''
@@ -476,6 +472,35 @@ in
 # ensureDatbases & ensureUsers depends on this script being run as root
 # when the user has secured their mysql install
 "+${setupScript}";
+ # User and group
+ User = cfg.user;
+ Group = "mysql";
+ # Runtime directory and mode
+ RuntimeDirectory = "mysqld";
+ RuntimeDirectoryMode = "0755";
+ # Access write directories
+ ReadWritePaths = [ cfg.dataDir ];
+ # Capabilities
+ CapabilityBoundingSet = "";
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
 };
 }; |
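Review bot: The `# System Call Filtering` heading in the third hunk introduces only `SystemCallArchitectures = "native";`, which restricts the syscall ABI but filters no syscalls, so the comment overstates what is configured; either reword it to `# Restrict to the native syscall ABI (no SystemCallFilter= yet)` or add a filter such as `SystemCallFilter = [ "@system-service" ];`, which would need testing against the server and the `+`-prefixed setup script (the `+` prefix exempts that script from most of these restrictions, so the filter would mainly constrain the daemon itself). `ReadWritePaths = [ cfg.dataDir ];` is the only writable location under `ProtectSystem = "strict";` besides the `RuntimeDirectory`, so any other path the daemon writes, such as a log file configured outside these hunks, would now fail with a read-only filesystem error and is worth confirming against the module's other options. The second hunk's `rm ${cfg.dataDir}/mysql_init` is consistent with `PrivateTmp = true;`, but the line that creates `mysql_init` lies outside the hunk and presumably must have moved to `cfg.dataDir` as well, otherwise the removal fails. The `serviceConfig` attribute set opens in the first hunk and closes in the third, and the enclosing service definition starts outside the diff.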